Security guidelines for Marketplace Partners

When installing Marketplace apps, many companies are concerned about the risk of using a new app or partner. These guidelines prepare you for some of the more stringent security and risk checks that customers complete as a part of their procurement process. These guidelines address your security practices and aren’t intended to cover the security of your app.

Security checklist

This checklist contains the recommended steps for companies who want to maintain a strong security profile. This is not a comprehensive list, but rather a set of practices we believe are important. You should evaluate these recommendations in the context of your organization and its resources.

We also recommend that you visit the Atlassian Trust site, where we describe Atlassian's core pillars of security, reliability, privacy, and compliance. We aim to be as transparent as possible by publishing details of our security practices such as information about our bug bounty, how we deal with security incidents, and alike.

Workstation and account security

Consider workstation and account security before you start building apps. Compromise of workstations and accounts is one of the bigger security threats; as a malicious actor could use these to get access to your code repositories, your infrastructure, or your workstations directly. From a compromised workstation or account, bad actors could access your customers' data, modify your codebase, or gain access to your other services. To address these issues:

• Encrypt all workstations.
• Implement a patch management process to keep operating systems and software up to date.
• Use a reputable password manager such as LastPass or 1Password, choosing long, unique passwords on every site.
• Enforce multi-factor authentication (MFA) across key accounts such as password managers, email, file-sharing services, and SaaS tools.
• If you can't use MFA (such as on bot accounts, services which do not support 2FA, and other edge cases) use a password manager.
• Know the dangers of phishing and how to spot phishing emails.
• Make sure you have your operating system anti-virus feature turned on or install a third-party anti-virus tool from a reputable vendor.
• Enable a host-based firewall.

Infrastructure security

Most partners creating Marketplace apps for our cloud products use platforms such as AWS, Azure, or Google Cloud Platform. These services should be protected in the same way as workstations but some extra steps are required because these servers are internet-facing and running your app. If a malicious actor was to gain access to the cloud account or the infrastructure it could give them access to the customer data you store or to your app. To address these issues:

• During the setup of an account, follow your cloud provider’s recommended security steps.
• Enforce multi-factor authentication for all accounts.
• Disable unnecessary services on servers, in order to reduce the attack opportunities.
• Implement a patch management system to keep operating systems and software up to date.
• Encrypt data at rest, AES256 or equivalent is recommended.
• When backing up data, apply the same security controls to protect backups as you do for your databases.
• Log information that could make you aware of security breaches. Examples of the information to log include:
  • Pull requests merged without approval.
  • 2FA devices added or removed from your account.
  • Administrative actions such as creating or modifying users.
  • Instances being created.
  • The user agent strings or IP addresses (and therefore countries) of user logins, especially admin users.
• Do not log sensitive data. Make sure you don't log API tokens, passwords, or unnecessary personal information.
• Review logs regularly. If possible automate this process and trigger alerts when certain conditions are found.

Development

One of the more difficult activities on this list is developing secure code. New vulnerabilities are found every day, making staying on top of app security a continuous endeavor. Thankfully there are tools and techniques to help you keep up with these changes, and the core principles of remediating these issues do not change often. To address this issue:

• Enforce multi-factor authentication for all your source code repositories. Source code management systems, such as Bitbucket and Github, make this easy to do.
• Understand Atlassian scopes when building Connect apps. Make sure your app only requests the scopes it needs.
• Use a dependency scanner—such as OWASP Dependency-Check, SourceClear, or Snyk —to find security issues in third-party libraries used in your code.
• Carefully review the OWASP top 10 and watch for these security risks when creating apps.
• Be sure to meet the Security Requirements for Cloud Apps. In order to improve the security of Cloud apps, these requirements are mandatory.
• Review and follow the Security Guidelines for Marketplace Apps. These guidelines will help you make your app more secure.

Policy, processes, and documentation

Provide policy documents so your customers know what you do and how you do it. We recommend that you have a privacy policy and a security policy. Without these you will probably struggle to secure larger, more risk-averse customers as their procurement teams look for these documents as they evaluate new tools and partners. These are the policies, processes, and documentation that you should consider implementing:

Must have:

• Privacy policy
• Security policy
• End user license agreement (EULA)

Recommended:

• Groom security champions. One or more members of your team should dedicate time to learning about security and implementing good security practices in your organization. Without an owner to drive security you can find that security practices fall behind, resulting in technical debt.
• Create a company password policy. We recommend using the identity guidelines from NIST 800-63B. Auth0 publishes a simplified writeup of 800-63B making it easy to understand and implement.
• Create an incident response plan so you know what to do in the case of a security incident.
• Create disaster recovery and business continuity plans so you know what to do when a disaster occurs.
• Implement change management procedures to ensure changes have an approval process and audit trails.

Bug bounty

At Atlassian we use BugCrowd for managing our bug bounty program. This security testing program enables third-party security researchers to report vulnerabilities in our tools and earn money doing so. Read more about Atlassian's approach to external security testing and the benefits we believe it brings to our organization.

As of July 2019, we extended the Bug Bounty Program to Marketplace Partners. As part of this initiative, you get your own program instance on the Bugcrowd platform, at no cost, and are only responsible for bounty payouts for vulnerabilities reported to you. You can scale or pause the program at any time depending on your resources.

Certifications

When you have implemented best-practice security controls and documentation, consider a security audit. Audits are conducted by a third-party. The audit report will tell you where you're doing well, and more importantly, identify areas that need improvement. Consider sharing this report with prospective customers, during their procurement process, to help them evaluate your security controls. There are also certifications available, including some that are country-specific. We recommend that you investigate the two globally recognized certifications:

• SOC2, a useful certification that is completed by most cloud-based companies.
• ISO 27001, a great certification to aim for but companies usually start with SOC2 due to the scope and complexity of this certification.